How to select a particular public key when verifying a signature?

Vladimir A. Pavlov pv4 at bk.ru
Sat Dec 17 15:22:28 CET 2011


Hi!

I'd like to start using gnupg for information exchange but there is an issue I don't understand. I've read gnupg documentation and didn't find a solution so that I even think gnupg is not supposed to do what I expect from it.

Consider the following situation.

I have two friends: Alice and Bob. I added their public keys (Alice's AAAAAAAA and Bob's BBBBBBBB) to my keyring. Now Bob sends me a signed file. When I verify the signature the file appears to be signed by Alice's key. But gpg doesn't give me an error, it just tells me the file was signed with the AAAAAAAA key, so that I have to look at the message and discover the key doesn't correspond to the sender.

Bob has obviously got Alice's key, which should not happen. But it happened. Alice could revoke her key and create a new one, but she doesn't even currently know the key was stolen.

One solution to prevent such a situation is to use two different keyrings for Alice's key and Bob's one and store each key in a separate keyring. When verifying a file I can use --homedir to select whose key to use. But it seems difficult and not graceful for me, especially if I have more friends.

Another solution is to select a particular key to be used for verification. I tried -u but it works only when signing a file, not when verifying it.

So:

1. Is there a way to select a key to verify a file with?
2. If not, is gnupg expected to deal with issues like the one pointed out above at all? Or should I just use another program (for example, openssl) to verify signatures?
3. If gnupg can handle the situation above, how can that be done? Do I misunderstand what gnupg is about and should I change my workflow to meet gnupg opportunities?

--
Vladimir
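The check the post is asking for, as an added example that is not part of the original message or of GnuPG itself: run `gpg --verify` with `--status-fd` and accept the file only if the signing key's primary fingerprint is the one you have pinned for that sender. The status-line format follows GnuPG's documented machine-readable output (doc/DETAILS); the `EXPECTED_SIGNERS` map, the fingerprints and the sample status output are constructed for illustration.

```python
"""Verify a gpg signature and require that it was made by the key you expect
from that sender, not merely by any key present on the keyring."""
import subprocess
from typing import Dict, Optional

# Hypothetical map from sender to the primary-key fingerprint you confirmed
# out of band. These fingerprints are constructed placeholders, not real keys.
EXPECTED_SIGNERS: Dict[str, str] = {
    "alice": "0123456789ABCDEF0123456789ABCDEF01234567",
    "bob": "FEDCBA9876543210FEDCBA9876543210FEDCBA98",
}

# Constructed sample of gpg --status-fd output for a file signed with
# Alice's key (line format as documented in GnuPG's doc/DETAILS).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Alice <alice@example.com>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2011-12-17 1324131748 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp
"""


def parse_valid_signer(status_output: str) -> Optional[str]:
    """Return the primary-key fingerprint from the VALIDSIG status line.

    gpg emits VALIDSIG only for a cryptographically good signature, so a
    BADSIG, ERRSIG or NODATA run yields None. The last field is the primary
    key's fingerprint, so a signature made by a signing subkey still maps
    back to the key owner's primary key.
    """
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) >= 12 and fields[0] == "[GNUPG:]" and fields[1] == "VALIDSIG":
            return fields[11].upper()
    return None


def signer_matches(status_output: str, expected_sender: str) -> bool:
    """True only if the signature is valid AND made by expected_sender's key."""
    expected = EXPECTED_SIGNERS.get(expected_sender)
    if expected is None:
        return False
    actual = parse_valid_signer(status_output)
    return actual is not None and actual == expected.replace(" ", "").upper()


def verify_from(signed_file: str, expected_sender: str) -> bool:
    """Run gpg on signed_file and apply the sender check to its status output.

    --status-fd 1 sends the machine-readable status lines to stdout and
    --batch keeps gpg from prompting. A non-zero exit code already means a
    bad or unverifiable signature; the fingerprint comparison is what catches
    a good signature made with the wrong friend's key.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signed_file],
        capture_output=True, text=True, check=False,
    )
    return signer_matches(proc.stdout, expected_sender)


if __name__ == "__main__":
    # Offline demo on the constructed sample: the file is signed with Alice's
    # key, so it passes as "from alice" but fails as "from bob".
    print("from alice:", signer_matches(SAMPLE_STATUS, "alice"))  # True
    print("from bob:  ", signer_matches(SAMPLE_STATUS, "bob"))    # False
```

The comparison is done on the full fingerprint rather than on the short key id printed in the "signed with AAAAAAAA key" message or on the user id, since short ids and names are not unique. Keying the map by the primary fingerprint also keeps the check stable when a friend rotates a signing subkey.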
